When merchants sign a deal which has a payment processor, they agree to be subject to fines when they are unsuccessful to take care of PCI DSS compliance. PCI compliance is divided into four levels, according to the once-a-year quantity of credit history or debit card transactions a business processes. https://www.nathanlabsadvisory.com/fedramp.html
